[liberationtech] W3C WebCrypto Last Call for Comments *today*
carlo von lynX
lynX at time.to.get.psyced.org
Mon May 19 23:43:03 PDT 2014
Thank you for a faceted browser API.
When Netscape introduced LiveScript in 1995, who would
have thought it would one day be employed for
opportunistic end-to-end encryption and similar jobs?
I would kindly ask you to mention in the opening words
that such an API can only be used in an "opportunistic"
fashion as the JS code intended to use this API itself
somehow has to be delivered to the browser, which is an
as yet unsolved problem considering the failures of
certification authorities in the past.
There is a fundamental flaw in the security architecture
of the web and this new API does not address that.
Please make that clear, or you may stir false hopes and
become responsible for potential consequences. People may
be developing sensitive applications with this, not being
aware that any certification authority of any country on
earth can insert malicious code.
Best, CvL
--
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet